Updated the repository and website with clarifying info about some of the subjects talked about in this thread, especially about alternative hardening tools/scripts etc. It is actually important info that I never thought was necessary to mention.
WDAC (Windows Defender Application Control) is easier to implement and maintain in enterprises and organizations where there is a clear guideline and a select bunch of software that is allowed to run. The module I made, which is just a wrapper for the actual cmdlets, automates and makes everything so much easier.
All enterprises and orgs etc. need to do is to take the AllowMicrosoft or WindowsOnly default policies and either create a supplemental policy or merge a policy that allows all other 3rd party software that they need to run. Let's say a company has selected 50 programs to be allowed to be installed/run/updated on all systems; it's easy, and there is more than one way to create trust for those programs. WDAC provides many granular controls over the workflow. You don't need to keep any Windows images, backups etc. You don't need to create modified Windows images to deploy WDAC. A WDAC policy doesn't care which Windows image you use; it does its job regardless, with only 1 or 2 files depending on whether it's signed or unsigned.
Each department in a huge enterprise might share the same 50 programs that are common among all employees, but might also need special program packages. No problem, make a supplementary WDAC policy to allow those programs and then deploy the policy only to those workstations.
This cuts down on the expenses as there is no need for security solutions from outside, since all of the features are built into Windows.
Enterprises and big organizations aren't limited to WDAC only, but this thread is only about it. Microsoft has a huge variety of security solutions for them.
For home users, depending on the level of WDAC you consider using, it can be either very easy or very hard to maintain. If you are a home user with a very dynamic workflow, who installs, updates and uninstalls many new programs constantly, then consider using WDAC for lightly managed devices, if you just want to add some extra protection. It uses ISG and takes care of allowing all the good programs to run; it will also let you add some programs to the allow list manually if they get blocked for being malicious. If not that, then there is Smart App Control, which is stronger and doesn't currently let you allow specific programs manually.
If you are a home user who only installs and updates a few programs every now and then and for the most part has a constant list of programs necessary for your daily usage, then you can implement WDAC for fully managed devices.
But honestly, WDAC for fully managed devices, for a well-informed user, is overkill. Use the hardening script and that's all you need. There is no need for a fully managed WDAC policy if you aren't going to intentionally compromise yourself and let malware in. I say intentionally, meaning you yourself turn off the security features of Windows, the ones the hardening script enables and enforces, and literally download malware containing zero-days (which is hard to come by).
One thing is for sure though: there is no need for any 3rd party security solution in Windows. They are all marketing, making you think you need other AV solutions, otherwise you are in danger. The same tactics are used by VPN providers, the usual scare tactic. Some people might not like hearing it, but it's a fact. All of the advanced security features are already built deep inside the core of Windows, available to you for free. All you need to do is turn them on and enjoy the safe experience.
Security shouldn't be hard and time consuming; that's one reason why I made the script: to automate things and spend my time on more important things.
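For anyone who wants to see what the enterprise workflow described above (base policy plus a supplemental policy for approved 3rd party software) looks like with the built-in ConfigCI cmdlets, here is an added example. It is not the module's code or anything from the original post; the `C:\WDAC` working folder, the `C:\Program Files\ApprovedVendor` scan path and the policy names are assumptions, and CiTool deployment assumes Windows 11 22H2 or later.

```powershell
# Added example (not the module's code): build and deploy a WDAC base policy
# plus a supplemental policy for approved 3rd-party software, using only the
# built-in ConfigCI cmdlets. $WorkDir and $ApprovedApps are assumed paths.
$WorkDir      = 'C:\WDAC'
$ApprovedApps = 'C:\Program Files\ApprovedVendor'   # folder holding the vetted programs
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# 1. Start from the AllowMicrosoft template that ships with Windows.
$Base = Join-Path $WorkDir 'AllowMicrosoft.xml'
Copy-Item "$env:windir\schemas\CodeIntegrity\ExamplePolicies\AllowMicrosoft.xml" $Base -Force
Set-CIPolicyIdInfo -FilePath $Base -ResetPolicyID -PolicyName 'Corp Base (AllowMicrosoft)' | Out-Null

# Rule options: 3 = Audit Mode (keep for the pilot), 17 = Allow Supplemental Policies,
# 6 = Unsigned System Integrity Policy (remove once the policy is signed).
Set-RuleOption -FilePath $Base -Option 3
Set-RuleOption -FilePath $Base -Option 17
Set-RuleOption -FilePath $Base -Option 6

# 2. Scan the approved software folder and create a supplemental policy for it.
#    FilePublisher rules survive updates from the same signer; unsigned files fall back to hashes.
$Supp = Join-Path $WorkDir 'ApprovedApps.xml'
New-CIPolicy -FilePath $Supp -ScanPath $ApprovedApps -Level FilePublisher -Fallback Hash `
    -UserPEs -MultiplePolicyFormat
# Bind the supplemental policy to the base policy's ID.
Set-CIPolicyIdInfo -FilePath $Supp -BasePolicyToSupplementPath $Base -PolicyName 'Corp Approved Apps' | Out-Null

# 3. Convert both XML policies to binary .cip files named after their PolicyID.
function ConvertTo-CipFile([string]$XmlPath) {
    $id  = ([xml](Get-Content $XmlPath)).SiPolicy.PolicyID
    $cip = Join-Path $WorkDir "$id.cip"
    ConvertFrom-CIPolicy -XmlFilePath $XmlPath -BinaryFilePath $cip | Out-Null
    return $cip
}
$BaseCip = ConvertTo-CipFile $Base
$SuppCip = ConvertTo-CipFile $Supp

# 4. Deploy with CiTool, then review audit events before switching to enforcement.
#    Microsoft-Windows-CodeIntegrity/Operational event 3076 = "would have been blocked".
citool.exe --update-policy $BaseCip
citool.exe --update-policy $SuppCip
Get-WinEvent -LogName 'Microsoft-Windows-CodeIntegrity/Operational' -MaxEvents 200 |
    Where-Object Id -eq 3076 | Select-Object TimeCreated, Message

# Once the audit log is clean, drop option 3 from the base policy and redeploy it:
# Set-RuleOption -FilePath $Base -Option 3 -Delete
```

Workstations for a department with extra software get a second supplemental policy built the same way and deployed only to them; the base policy stays identical everywhere.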